Delegated administrator access to Business Central Online
As a Business Central reselling partner, you must set up your employees to work in Partner Center, and you must assign employees to support your customers. There are two types of relationships reselling partners can set up with their customers. Reseller relationships enable the reseller to sell customers Business Central licenses. Granular delegated administration privileges (GDAP) relationships enable users in the reseller's tenant to access and administer the customer's Business Central environments as delegated administrator.
For each relationship type, the partner generates a link in Partner Center that internal Global Administrators in the customer tenant can navigate to accept the relationship. After a customer accepts a partner's request for a GDAP relationship, the partner can assign security groups in their own tenant to one or multiple Microsoft Entra roles that the customer accepted as part of the GDAP relationship.
To administer Business Central as delegated administrator, the recommended least-privileged role to include in your relationship is Dynamics 365 Business Central Administrator, which grants access to the Business Central Business Central administration center and environments in the customer tenant. Find more information about roles supported by Business Central and products and services that integrate with Business Central in Supported Microsoft Entra roles for access.
Tip
Always include the domain or the Microsoft Entra ID of the customer in the URL when you log in as a delegated admin, such as in https://businesscentral.dynamics.com/contoso.com/admin
. This way, you always know exactly which customer you are trying to access.
Managing delegated permissions as a partner
Delegated administrators aren't visible in the customer's Microsoft Entra ID user list and can't be managed by the customer's internal admin. However, when a delegated administrator logs into a Business Central environment, they're automatically created as a user in the environment. This way, the actions performed by a delegated administrator, such as posting documents, are logged and associated with their user ID.
When a delegated administrator first signs in to an environment, the user is created and default permissions are assigned based on the license configuration. Users created for delegated administrators aren't shown with name and other personal information but with a unique ID and their company name. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. GDAP users are listed with user names such as USER_1A2B3C4D5E6F
, and an email address such as [email protected]
, which isn't the person's actual email address. Because they aren't part of their customer's Microsoft Entra ID, their authentication email address isn't an email address at all but reflects the company that they work for, such as Contoso
. This way, the GDAP user accounts don't reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.
License configurations determine the default permissions a delegated user gets upon first sign in to an environment. Delegated Dynamics 365 Business Central Administrators are assigned the permissions defined in the Delegated BC Admin agent - Partner license configuration. Delegated Global Administrators are assigned the permissions defined in the Delegated Admin agent - Partner license configuration. Delegated Helpdesk Administrators are assigned the permissions in the Delegated Helpdesk agent - Partner license configuration. After the delegated administrator user is created in the environment, their permissions can be changed from the permissions that were assigned by default. Learn more at Configure permissions based on licenses and Assign permissions to users and groups.
At the partner company, we encourage you to keep track of which user names your technicians and consultants have in your customers' Business Central tenants. For example, you have a consultant who is an admin with GDAP in your partner company's five customers' Business Central. Your consultant can see which customers they have GDAP access to in the Granular administration list in the Administer page in Partner Center. But as an organization, you can also maintain a list of names and IDs.
If a customer removes delegated permissions from you, you can still manage their subscription from the Partner Center, such as adding or removing licenses for their subscription, but you're no longer be able to log into and manage their Business Central environment, Microsoft Entra ID, and other services. You're'also not able to manage their users (add/remove/assign licenses) from the Customer page in the Partner Center.
Limitations for delegated administrators
When you sign in to your customers' Business Central as the delegated administrator from the Business Central administration center, you have access to all areas of their Business Central. However, because you aren't registered as a regular user, there are certain tasks that you can't do.
The following tasks aren't available to the delegated administrator:
Run scheduled tasks in the job queue.
However, delegated administrators can create job queue entries and set them as ready to run. Then, a licensed user from the customer can start the job queue entry. Delegated administrators can also test that the job queue can run without issues, before asking their customer to start it, by using the Run once (foreground) action on the Job Queue Entry card. This action creates a temporary non-recurrent copy of this job and runs it once in the foreground. You can then call it as many times as you need before you hand it over to your customer so that they can start it as a recurrent job. After the job queue completes, it will be put in the on-hold status and can't be rescheduled.
Trigger a web hook or any other application action that relies on the job queue functionality, except by using the Run once (foreground) action.
Use the Invite External Accountant assisted setup guide
Instead, you can add the external user in the Azure portal and assign this user the External Accountant license.
Managing delegated permissions as an internal administrator
As a Microsoft customer organization, you can have multiple partners registered as your resellers. It isn't unusual for a single organization to use one partner as the delegated admin for their Microsoft 365 subscription and another for their Business Central subscription, for example. The services each partner can administer are determined by the Entra roles that are included in the GDAP relationship. For partners managing Business Central, the Dynamics 365 Business Central Administrator role is recommended as the least-privileged role that allows for administration of and access to Business Central environments.
It also isn't unusual for a single organization to have multiple Business Central environments, each managed by a different partner. In this case, the customer would have to accept a GDAP relationship including at least the Dynamics 365 Business Central Administrator role with each partner organization. Internal administrators can use the Partner access settings in the Business Central administration center to enable or disable delegated administrators from administering and accessing each environment, or to only allow delegated administrators from specific partner Entra tenants to administer and access an environment. Learn more in Manage Access to Environments.
Delegated administrators aren't visible in the customer's Microsoft Entra ID user list and can't be managed by the customer's internal admin. However, when a delegated administrator logs into a Business Central environment, they're automatically created as a user in the environment. This way, the actions performed by a delegated administrator, such as posting documents, are logged and associated with their user ID.
When a delegated administrator first signs in to an environment, the user is created and default permissions are assigned based on the license configuration. Users created for delegated administrators aren't shown with name and other personal information but with a unique ID and their company name. Both internal and external admins can see these users in the Users list, and they have full transparency into what these users do through the change log, for example. GDAP users are listed with user names such as USER_1A2B3C4D5E6F
, and an email address such as [email protected]
, which isn't the person's actual email address. Because they aren't part of their customer's Microsoft Entra ID, their authentication email address isn't an email address at all but reflects the company that they work for, such as Contoso
. This way, the GDAP user accounts don't reveal personal information. If you need to find out who the person behind such a pseudonym is, you'll have to reach out to the company that this user works or worked for.
License configurations determine the default permissions a delegated user gets upon first sign in to an environment. Delegated Dynamics 365 Business Central Administrators are assigned the permissions defined in the Delegated BC Admin agent - Partner license configuration. Delegated Global Administrators are assigned the permissions defined in the Delegated Admin agent - Partner license configuration. Delegated Helpdesk Administrators are assigned the permissions in the Delegated Helpdesk agent - Partner license configuration. After the delegated administrator user is created in the environment, their permissions can be changed from the permissions that were assigned by default. Learn more at Configure permissions based on licenses and Assign permissions to users and groups.
Customers can choose to configure conditional access that may restrict delegated admin access further. For example, it's a best practice to set up a conditional access policy to require multi-factor authentication for admins, and to set up terms of use policies. Learn more at Microsoft Entra ID Conditional Access documentation.
If you don't need delegated admin help continuously, you can (temporarily) restrict access for the partner users into your environment. There are several approaches you could take to limit partner access:
- Disable a specific delegated admin user within the Business Central environment. Learn more in How to remove a user's access.
- Remove some or all permissions from the license configurations for delegated administrators to prevent any new delegated administrator users from being assigned those permissions when they first sign in to an environment. Learn more in Configure permissions based on licenses.
- Disable all partners from accessing and administering specific environments in your tenant, or allowlist only specific partners for access if you have GDAP relationships with multiple partners. Learn more in Manage Access to Environments.
- Accept only short-lived GDAP relationships that don't auto-extend whenever a partner has a specific temporary need to access or administer your environments. Internal Global Administrators can view and disable GDAP relationships in the Microsoft 365 Admin Center. Learn more at Customers delegate administration privileges to partners in the Partner Center content.
If your organization decides to terminate a GDAP relationship with a partner or to switch to another partner, you must make sure that some settings that your current partner might have set up in your Business Central administration center are removed. Learn more in Cleaning up settings.
Related information
Administration of Business Central Online
Get Started as a Reseller of Business Central Online
Exporting Databases